Once upon a time, there were three little pigs. These guys were entrepreneurs.
The first little pig, Chaff, developed a digital application for a health system. The application was well received so Chaff did not think it was necessary to conduct any type of risk assessment. But the application was hosted in an unsecured location! When hurricane season hit, a storm blew out the power and his services were unavailable. Chaff’s house was down for a very long time. He lost his customers and his reputation.
The second pig, Rod, chuckled smugly about his brother’s problems. He was smart enough to use a secure third-party data center provider to host his application. They promised him it was fully compliant. A risk assessment was next on his list, but it sounded complex, so he decided to use a tool he found online. It gave him the answer he wanted and he checked that box. As a result, he missed the fact that employees were downloading sensitive data on their unsecured laptops. One of his employees had their laptop stolen, resulting in a significant breach of sensitive data. Rod had to report this to OCR and the resulting fine, cost of remediation and impact to his reputation put him out of business.
The third pig, younger brother Brix, had sought professional advice and put in place the foundations of a robust IS framework. He hired an independent privacy and security consultant to help guide him through a risk assessment of his business. He was able to identify all the policies and procedures he needed to put in place and implemented a workflow management tool that made managing and demonstrating compliance simpler and more affordable. Brix could impress his customers with how easily he was able to demonstrate the effectiveness of his security program. Brix business goes from strength to strength, and he is eventually able to hire his brothers, but only after he makes them take his mandatory information security training.
The moral of this story:
- Don’t skip conducting a risk assessment
- While there is no shortcut to conducting a full risk assessment, there are ways to make it less painful
- Start out by conducting simple control audits, but do these in preparation for a formal risk assessment. Not instead of one.
- Seek help from a qualified third party. This will ultimately be cheaper and more efficient than doing it your self.
- Don’t stop at the risk assessment. Once you have highlighted gaps, start plugging them. Use a compliance tool like MyVCM to guide you through the implementation process and manage the compliance workflow for you.
- Remember, the Big Bad Wolf is real. Security breaches due to ineffective practices occur daily (see my previous post “It’s the People, Stupid.”). If you are not prepared for it, once he starts ‘huffing and puffing’ it may already be too late.